That Nobel invite? Mr. Malware sent it

This weekend, staff at CPJ received a personal invitation to attend the Oslo awards ceremony for Nobel Peace Prize winner Liu Xiaobo. The invite, curiously, was in the form of an Adobe PDF document. We didn't accept. We didn't even open the e-mail. We did, however, begin analyzing the document to see was really inside that attachment, and what it was planning to do to our staff's computers.

NGOs and journalists who work or
report on human rights issues in China now regularly receive e-mailed
attachments, often PDFs, which on closer examination prove to be malicious code
sent from unknown sources. These attachments contain embedded programs that
execute when the file is opened, and take advantage of local security flaws to
install concealed software on their victims' machines.

This secret software can delete or
create files, commandeer the computer for cyber-attacks on other targets, or
just sit and record keystrokes and network traffic, which it will then report
to a remote "command-and-control" server elsewhere on the Net. A
computer with this malware installed is an open book to whoever is controlling
the program.

Malware is a problem for everyone.
We're all used to shady characters spamming us e-mail with enticing subject
titles. But vulnerable journalists and activists receive far more sophisticated,
customized messages that use narrow intelligence about their contacts and
interests in order to trick their recipients into opening them. This Nobel e-mail,
for instance, was sent from a colleague at a known NGO who I've personally met
and who has invited CPJ to events in Oslo previously. The PDF, when opened,
showed a legitimate-looking invitation with the organization's logo and the
signature of the NGO's founder.

We weren't the only ones to receive
this e-mail. Mila Parkour, a D.C. computer security analyst who runs the
Contagio Blog, was sent a sample of the message from another victim, and has
provided a full analysis of it on her site.

The attack exploits a known bug that appears in all but the very
latest versions of Adobe Acrobat Reader. (Such bugs pose a serious risk, but
are not as dangerous as what's known as a "0 day" attack, where a
previously unknown bug in the most current version of the vulnerable program is
exploited for the first time. Last month, the Nobel Peace Prize site itself was hacked, and a 0 day Firefox exploit was used to attack anyone who visited
it.

The invite PDF doesn't contain the
invitation text. Instead, it has a simple test message, "Hello
World!", and a complex set of extra data that exploits the bug and runs an
additional piece of code which has no connection to displaying a PDF. This code
saves a new file on the users' hard drive and runs it. It also displays a
convincing fake invite, on the organizations letterhead and signed by its
founder, to cover its tracks. Finally, the new file is run, connects to a
server in Bengbu, China and awaits further instructions.

By the time security experts had
examined the malware, the command-and-control server in Bengbu had shut down.
It's likely that we'll never know what the intention behind the attack was, who
devised it, or how many people were infected.

I spoke to the person whose identity
was used as the sender of the mail. He theorized that the template for the e-mail
originally came from a genuine message he sent to a Chinese dissident, whose
computer was compromised by an earlier cyber-attack. The same attackers used
their capability to read this activist's e-mail to copy it and then sent their
version to the dissident's contact list, which they had also obtained.

Is there anything we can learn to
better protect those targeted for these attacks?

Firstly, the danger of customized
attacks by e-mail should not be overstated. Just because these files are
custom-made for a small group doesn't mean that mass-market computer security
software can't spot them.

While the e-mail, PDF and payload
are all unique in this case, there are still many characteristics of the PDF
that will trigger warnings in most anti-virus software. If you're a vulnerable
journalist, use anti-virus software that can scan incoming mail. Keep your
software updated, especially programs like Adobe Acrobat
Reader, Adobe Flash, and your web browser. And, of
course, you should be on the lookout for suspicious attachments, even sent by
people you know.

We all need to be more aware of the
risks that compromised computer security can create for our colleagues and
contacts.

My sense is that the motive for this
attack was to expand a small set of compromised systems to a much wider network
of "persons of interest". Such a network is useful, not because any
of the recipients are specific targets, but because collectively their
computers can provide valuable intelligence -- either gathered directly by a
nation's security services, or by a group that trades in such intelligence to
interested parties.

Journalists need to protect their computer
security for their own safety, but also to prevent them becoming unwitting accomplices
to the surveillance, and worse, of their contacts and sources.

San Francisco-based CPJ Internet Advocacy Coordinator Danny O’Brien has worked globally as a journalist and activist covering technology and digital rights. Follow him on Twitter @danny_at_cpj.